github.com/DE-CIX/udp-dtls-wrapper

DE-CIX UDP-DTLS WRAPPER

This software provides functionality to a) pick up an UDP stream of data and transform it into an encrypted DTLS stream (bin/dtls-encrypter))and b) pick up an encrypted DTLS stream and transform it into an de-crypted UDP stream (bin/dtls-decrypter). This UDP-DTLS-wrapper finds application for encrypting IPFIX data trasported via UDP:2055 as a part of DE-CIX free-to-use product 'IPFIX Export'. Customers of that IXP can request their subset of IFPIX data generated by the peering platform. Their sensible data is encrypted on site and exported via DTLS. For decryption, the customers are free to use the hereby provided decrypter to reverse the encryption of their data. Exchange of key material is done automatically, so there is practically no overhead for the customer than to follow the steps given below. You can either compile the sources yourself, which requires a functioning Golang setup on your machine, or use thet pre-compiled binaries and jump right to the usage section. The pre-compiled binaries have been successfully tested on CentOS 7, kernel version 3.10.0-1160 and glibc version 2.17.

Setting up Go

According to the tutorial found here https://go.dev/doc/install the following steps must be taken to set up a Go environment for compilation

• wget https://go.dev/dl/go1.18.4.linux-amd64.tar.gz
• rm -rf /usr/local/go
• tar -C /usr/local -xzf go1.18.4.linux-amd64.tar.gz
• export PATH=$PATH:/usr/local/go/bin

Compilation

To compile, run

• git clone https://github.com/de-cix/udp-dtls-wrapper/
• cd udp-dtls-wrapper
• go mod tidy
• go build ./cmd/dtls-decrypter/main.go

In case of any trouble, please make sure that your Golang environment is properly configured ($GOPATH, $GOBIN, $GOROOT, etc.). Compilation verified on CentOS 7 (kernel 3.10.0-1160), Ubuntu 20.04 (kernel version 5.13.0-1031) Ubuntu 20.10 (kernel version 5.8.0-63-generic) with go version 1.13.3 and 1.16.

This will compile the DTLS decrypter for you. You can use the resulting file ("main") as described below.

Usage

• Log in to the DE-CIX customer portal: https://portal.de-cix.net/
• Click on 'Access & Services' in the top menu
• Select the service you want to export IPFIX data for by clicking on the pen-icon / edit-icon
• Switch to the 'Blackholing and Statistics' tab
• Enter your public IPv4 address (e.g. 10.0.0.42) where it says 'IPFIX'
• Hit 'Enable'
• Launch the dtls-decrypter on the host with that public IPv4 address using ./bin/dtls-decrypter -listen 10.0.0.42, or in case of self-compilation: ./main -listen 10.0.0.4
• You can also provide the dtls-decrypter with an optional argument using the -output flag to change the default destination of decrypted traffic, i.e.,, 127.0.0.1:2055 to any other IPv4 address or source port
• Do not forget to switch off your requested IPFIX Exports if you do not need them anymore
• You can now pick up your decrypted IPFIX data at the loopback interface on port 2055, or, if specified using -output : at any other IPv4 address on a configurable port